cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Community Member

Canvas .well-known/openid-configuration endpoint for LTI Tools

If I understand the LTI 1.3 specs correctly, it sits on top of the OpenId Connect specs. According to the specs in section 4, Final: OpenID Connect Discovery 1.0 incorporating errata set 1 , there should be a .well-known/openid-configuration endpoint. I do not see that Canvas provides this endpoint. Are there plans to add it?

Labels (2)
Tags (2)
2 Replies
Highlighted
Navigator

chase.willden@stukent.com my understanding is that LTI 1.3 extends the OpenID Connect Core in a way which doesn't require that particular discovery endpoint. Third-party login initiation is the key piece of OIDC Core utilized. For more on how LTI 1.3 builds on that part of OIDC, consult this part of the IMS Security Framework 1.0 public document.

And, assuming I'm not mixing up meanings of discovery here, the Canvas platform's implementation of LTI 1.3 provides an authorization endpoint which redirects from a consistent URL, helping to ensure an authorized issuer regardless of the Canvas instance where the tool launch is happening. See step 2 here:

0 Kudos
Highlighted
Instructure
Instructure

You are correct, Canvas doesn't have support for this yet, but we do plan to support it in the future.

The IMS LTI working group has a proposed specification in progress to add support for this as an additional capability similar to Names and Roles Provisioning Service to compliment LTI 1.3 and its use of OIDC. We have a few challenges we need to figure out as we work through adding this support. The specification allows for tools to not only register through the well known endpoint, but to also send through updates. We'd like to support both capabilities.

With more schools/institutions concerned about what data they are approving access to, we'll have to consider how updates can go through an approval process by Canvas admins before they can work within their respective Canvas accounts.